# Dump cfssl's built-in templates as starting points: ca-config.json (signing
# profiles / expiry) and ca-csr.json (CA subject, hosts, names). Edit both before use.
for kind in config csr; do
    cfssl print-defaults "$kind" > "ca-$kind.json"
done
修改 ca-config.json
过期时间改为 439200h (50年) 或 263520h (30年)
profile www 中增加 "client auth"
修改 ca-csr.json
"CN" 默认域名
"hosts" 额外的域名或IP地址
"names" CA的组织信息
# Create the self-signed CA from the edited CSR: cfssljson writes ca.pem,
# ca-key.pem (and the CSR as ca.csr) next to each other.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# Print the CA certificate in readable form to check subject, validity
# and the CA:TRUE basic constraint.
openssl x509 -in ca.pem -noout -text
# Start the server CSR from the default template; CN/hosts/names are edited next.
cfssl print-defaults csr > self-csr.json
"CN" 默认域名
"hosts" 额外的域名或IP地址
"names" CA的组织信息
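# Issue the server certificate with the CA under the "www" profile of
# ca-config.json: writes self.pem, self-key.pem (and self.csr).
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www self-csr.json | cfssljson -bare self
# Inspect the issued certificate (subject, SANs taken from "hosts", validity, key usage).
openssl x509 -noout -text -in self.pem
# Check that the leaf really chains to this CA before deploying it;
# expected output is "self.pem: OK".
openssl verify -CAfile ca.pem self.pem
# Build the chain file: leaf certificate FIRST, then the issuing CA.
# nginx/apache read the bundle in that order.
cat self.pem ca.pem > self.crt
cp self-key.pem self.key
# The private key must not be world-readable; the server reads it as root at startup.
chmod 600 self.key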
# nginx 部署
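# self.crt is the bundle built above (leaf certificate followed by ca.pem);
# self.key is the matching private key (keep it mode 600).
ssl_certificate     self.crt;
ssl_certificate_key self.key;
ssl_session_timeout 5m;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
# TLSv1.3 requires nginx built against OpenSSL >= 1.1.1 -- drop the keyword on older builds.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Ephemeral-ECDH (forward-secret) suites with AES or ChaCha20 only.
# This list governs TLS <= 1.2; TLS 1.3 suites are not selected through ssl_ciphers.
ssl_ciphers EECDH+AES:EECDH+CHACHA20;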
# apache 参考
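# Listen on all addresses, port 9443 (the "*" is required; ":9443" alone is not a valid address).
<VirtualHost *:9443>
    # Project directory. Apache does not accept a trailing "#" comment on a
    # directive line (DocumentRoot takes exactly one argument), so it goes here.
    DocumentRoot "/myproject"
    SSLEngine on
    # Plain ASCII "-" before each excluded protocol; an en-dash is rejected as an
    # illegal protocol name. TLS 1.0/1.1 are deprecated (RFC 8996), so only
    # TLS 1.2 (and TLS 1.3 where httpd/OpenSSL support it) remain enabled.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    # ECDHE-only suites, AEAD (GCM / ChaCha20-Poly1305) first, then AES-CBC fallbacks.
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    # /xx/xx is a placeholder for the real certificate directory.
    # Leaf certificate, its private key (mode 600), and the issuing CA as the chain.
    SSLCertificateFile /xx/xx/self.pem
    SSLCertificateKeyFile /xx/xx/self.key
    SSLCertificateChainFile /xx/xx/ca.pem
</VirtualHost>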